Protect Your OSP with logfinder

Online service providers are increasingly being served with subpoenas from both companies and government to
hand over personal data about their users' activities. In October 2004, the Electronic Frontier Foundation issued a
white paper on best practices for online service providers (OSPs), and last week EFF released a software tool called logfinder to help
OSPs locate and identify log files they may not even know they have.

OSPs, as defined in the DMCA and the Patriot Act, encompass far more than Internet service
providers or online communities. OSPs may include web site operators and even bloggers who allow visitors
to post their own blogs. "Virtually any web site or access intermediary, not just established subscriber-based businesses,
can be considered an OSP under the law," according to EFF's white paper on the subject. "Indeed, even
individuals may be accidental OSPs, if they set up WiFi access points to share Internet connectivity with friends
and neighbors."

The risk is not theoretical, says Seth Schoen, staff technologist for EFF. "Organizations with records are getting
more and more compliance requests over time," mostly from private parties, he said. As for the increased
powers the Patriot Act affords government, "There's a perception that there are more Patriot Act requests. A lot
of those powers are exercised in secret, and those who receive requests are often not allowed to tell
anyone, so it's hard to get accurate information about it," he said. EFF recently filed a Freedom of Information Act request to try to get more details on Patriot Act-related subpoenas.

EFF's core suggestion is that OSPs not keep records of user activity and, if they do keep records, that they limit the
number they keep, perhaps by deleting all records after a few weeks. The idea is that no one can demand
something from you that you don't have. At least that's the case in the United States.

"It's not true everywhere that people have as much discretion as they do in the U.S.," said Schoen, "but our
interpretation is that for most people who retain records, you have discretion to decide which records to
maintain, and you can't be punished for not having kept records."

While there are exceptions, such as the financial and health industries, which are specifically regulated, Schoen said, "It's not
true for web publishers; they're not required to know who their readers are. If they do know, they're not required
to keep records."

"We want to remind people they have the ability to set a policy, and if you're collecting information you
should set a policy," Schoen said. "Given the increase in subpoena activity, the practice of logging
everything is a bad practice. It might be tempting for someone to try to get all that data from you."

To help OSPs protect themselves, EFF released a tool last week, logfinder, to identify the logs that might be
hiding on your system. "It's an illustrative means of becoming aware of the locations of logs on a system," said Schoen, the author of the tool. "It's not exhaustive, but it should give you an idea. There may be cases
where system administrators are not even aware of what's being logged," since many tools log by default.

"We're not saying this program is guaranteed to find all the personal information on your system, but it is useful as
one thing that sysadmins can do," Schoen said.

The idea of deleting logs doesn't come naturally to system administrators, Schoen said. "The idea of a user data
retention policy is familiar to corporate lawyers; they understand the liability risks in keeping everything
forever. Sysadmins as a profession haven't taken this to heart yet. Depending on the size of an organization,
sysadmins may or may not be responsible for policy."

The bottom line: if your organization doesn't have a policy on retaining personally identifiable information, set
one. And when you set your policy, keep as few records as possible and retain them for as short a time as
possible. For instance, compile the general usage statistics useful for your business needs and then delete the
raw logs. In addition, as EFF's white paper points out, organizations can obscure personally identifying
information in order to compile general statistics. In all cases, when useful information has been gleaned from the
logs, delete them.
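
The summarize-then-delete practice described above, as an added example (not code from EFF, its white paper, or logfinder). It assumes a web server access log in Common Log Format; the function name, the statistics chosen, and the sample lines are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import secrets
import tempfile
from collections import Counter

# Common Log Format prefix: address, identity, user, [timestamp], "METHOD path ...", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]:]+)[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def summarize_and_purge(log_path):
    """Reduce a raw access log to aggregate counts, then delete the raw file."""
    key = secrets.token_bytes(32)  # ephemeral key, never stored: pseudonyms cannot be recomputed
    by_day, by_path, statuses = Counter(), Counter(), Counter()
    visitors, unparsed = set(), 0
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = LINE_RE.match(line)
            if not m:
                unparsed += 1
                continue
            addr, day, _method, path, status = m.groups()
            # Count distinct visitors via a keyed hash, not the address itself.
            visitors.add(hmac.new(key, addr.encode(), hashlib.sha256).digest())
            by_day[day] += 1
            by_path[path.split("?", 1)[0]] += 1  # query strings can carry personal data
            statuses[status] += 1
    os.remove(log_path)  # unlinks only; rotated copies and backups need their own purge
    return {
        "hits_by_day": dict(by_day),
        "hits_by_path": dict(by_path),
        "statuses": dict(statuses),
        "unique_visitors": len(visitors),  # only the count leaves this function
        "unparsed_lines": unparsed,
    }

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = '''192.0.2.10 - - [12/Feb/2005:10:01:44 -0800] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - alice [12/Feb/2005:10:02:03 -0800] "GET /search?q=private+terms HTTP/1.1" 200 812
198.51.100.7 - - [13/Feb/2005:08:15:20 -0800] "GET /index.html HTTP/1.1" 404 210
not a log line
'''

if __name__ == "__main__":
    fd, demo_path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as out:
        out.write(SAMPLE)
    print(summarize_and_purge(demo_path))
```

The returned summary holds no addresses, user names, or query strings, so it can be kept after the raw file is gone.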